Question 112666 in Ubuntu Question posted in
The official Ubuntu documentation can be found here.

Ubuntu – Azure devops deploy to function app with access restrictions

I am trying to deploy a function app via an Azure DevOps pipeline, however I am receiving the following error:

##[error]Failed to deploy web package to App Service.
##[error]To debug further please check Kudu stack trace URL : $URL_REMOVED
##[error]Error: Error: Failed to deploy web package to App Service. Ip Forbidden (CODE: 403)

From some googling a suggested solution seems to be to whitelist agent IP before the deployment, and then remove it after. I have added this to my pipeline, and I can see the agent IP get added to access restrictions, however the deployment still fails.

Here is my pipeline file:

# Node.js Function App to Linux on Azure
# Build a Node.js function app and deploy it to Azure as a Linux function app.
# Add steps that analyze code, save build artifacts, deploy, and more:
# https://learn.microsoft.com/azure/devops/pipelines/languages/javascript

trigger:
- main

variables:

  # Azure Resource Manager connection created during pipeline creation
  azureSubscription: 'xxx'

  # Function app name
  functionAppName: 'xxx'

  # Environment name
  environmentName: 'xxx'

  # Agent VM image name
  vmImageName: 'ubuntu-latest'

stages:
- stage: Build
  displayName: Build stage
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)

    steps:
    - task: NodeTool@0
      inputs:
        versionSpec: '10.x'
      displayName: 'Install Node.js'

    - script: |
        if [ -f extensions.csproj ]
        then
            dotnet build extensions.csproj --runtime ubuntu.16.04-x64 --output ./bin
        fi
      displayName: 'Build extensions'

    - script: |
        npm install
        npm run build --if-present
        npm run test --if-present
      displayName: 'Prepare binaries'

    - task: ArchiveFiles@2
      displayName: 'Archive files'
      inputs:
        rootFolderOrFile: '$(System.DefaultWorkingDirectory)'
        includeRootFolder: false
        archiveType: zip
        archiveFile: $(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip
        replaceExistingArchive: true

    - upload: $(Build.ArtifactStagingDirectory)/$(Build.BuildId).zip
      artifact: drop

- stage: Deploy
  displayName: Deploy stage
  dependsOn: Build
  condition: succeeded()
  jobs:
  - deployment: Deploy
    displayName: Deploy
    environment: $(environmentName)
    pool:
      vmImage: $(vmImageName)
    strategy:
      runOnce:
        deploy:
          steps:
          - task: AzureCLI@2
            inputs:
              azureSubscription: '$(azureSubscription)'
              scriptType: 'bash'
              scriptLocation: 'inlineScript'
              inlineScript: |
                 agentIP=$(curl -s https://api.ipify.org/)
                 az functionapp config access-restriction add -g xxx -n xxx --action Allow --ip-address $agentIP --priority 200
          - task: AzureFunctionApp@1
            displayName: 'Azure Functions App Deploy: xxx'
            inputs:
              azureSubscription: '$(azureSubscription)'
              appType: functionAppLinux
              appName: $(functionAppName)
              package: '$(Pipeline.Workspace)/drop/$(Build.BuildId).zip'

Is anyone able to advise where I am going wrong?

Tags:

3

Answers


  1. Chosen as BEST ANSWER
    0

    I found the solution to this. Function Apps have two IP Restriction sections, one for the App and one for the SCM site. The SCM site is the one that requires the IP to be whitelisted in order for the deployment to work:

    az functionapp config access-restriction add --scm-site true -g xxx -n xxx --action Allow --ip-address $agentIP --priority 200


  2. 0

    You can deploy Azure function app to azure devops pipeline using azure function app task from Azure devops pipeline tasks
    Here is the sample snippet for deploying azure function app

    variables:
  azureSubscription: Contoso
  # To ignore SSL error, uncomment the below variable
  # VSTS_ARM_REST_IGNORE_SSL_ERRORS: true

steps:
- task: AzureFunctionApp@1
  displayName: Azure Function App Deploy
  inputs:
    azureSubscription: $(azureSubscription)
    appName: samplefunctionapp
    package: $(System.DefaultWorkingDirectory)/**/*.zip

    Here is the Microsoft Document for deploying azure function app.

    Login or Signup to reply.
  3. 0

    I’ve had a simmilar issue while adding the agent IP to the network restrictions of an storage account (using Powershell but you’ll understand the idea), we added a 60s sleep to be sure that the setting are taken into account by Azure.

    $sa_name = "sapricer$env_prefix"
if ($null -ne (Get-AzStorageAccount -ResourceGroupName $sa_rg -AccountName $sa_name -ErrorAction Ignore)) {
    Write-Output "Storage account '$sa_name' exists"
    if ($enable) {
        Write-Output "Add ip rule for $current_ip on $sa_name..."
        Add-AzStorageAccountNetworkRule -ResourceGroupName $sa_rg -AccountName $sa_name -IPAddressOrRange $current_ip
    }
    else {        
        Write-Output "Remove ip rule for $current_ip on $sa_name..."
        Remove-AzStorageAccountNetworkRule -ResourceGroupName $sa_rg -AccountName $sa_name -IPAddressOrRange $current_ip
    }
}

Start-Sleep -Seconds 60
    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search